TrafficScript rule to protect against "Shellshock" bash vulnerability (CVE-2014-6271)


The following TrafficScript rule rejects requests that attempt to exploit the recently disclosed vulnerability in bash (CVE-2014-6271, "Shellshock": bash processes a trailing string after a function definition stored in the value of an environment variable):

# The most likely vector is an HTTP header: CGI exports every request
# header to the script as an HTTP_* environment variable.
$vehicle = "";

foreach( $header in hash.values( http.getHeaders() ) ) {
   if( string.contains( $header, "() {" ) ) {
      $vehicle = " HTTP header ";
      break;
   }
}

# Some apps export the query string (QUERY_STRING) and form parameters
# as environment variables as well:
$qs = http.getQueryString();
if( string.contains( $qs, "() {" ) ) {
   $vehicle .= ($vehicle ? "and query string " : " query string ");
}

if( http.getMethod() == "POST" ) {
   foreach( $value in hash.values( http.getFormParams() ) ) {
      # multi-valued form fields are returned as arrays
      if( lang.isArray( $value ) ) {
         $value = array.join( $value, ":" );
      }
      if( string.contains( $value, "() {" ) ) {
         $vehicle .= ($vehicle ? "and form param " : " form param ");
         break;
      }
   }
}

if( $vehicle ) {
   # log the source, then drop the connection without sending a response
   $badboy = request.getRemoteIP();
   $country = geo.getCountry( $badboy );
   log.warn( "Attempted CVE-2014-6271 attack via"
             . $vehicle . "from " . $badboy . " in " . $country );
   connection.discard();
}


The rule above can be used to protect a web application that invokes a vulnerable version of the bash command interpreter, such as CGI- or FastCGI-based applications.
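As an added example (not part of the original post and not SteelApp code), the same inspection logic in Python, run over constructed sample requests; find_vehicles, log_line and the sample values are assumed names and data, and the marker string is the one the rule matches on.

```python
from typing import List, Mapping, Sequence, Union

# Bash (before the CVE-2014-6271 fix) parsed a function definition out of any
# environment variable whose value begins with "() {" and then executed the
# trailing string after it. CGI/FastCGI copy request headers (HTTP_*), the
# query string (QUERY_STRING) and, in some apps, form fields into such
# variables, so the same three surfaces are inspected here, mirroring the rule.
MARKER = "() {"

FormValue = Union[str, Sequence[str]]


def find_vehicles(method: str,
                  headers: Mapping[str, str],
                  query_string: str,
                  form: Mapping[str, FormValue]) -> List[str]:
    """Return the request surfaces that carry the Shellshock marker."""
    vehicles: List[str] = []
    # Every header value is a candidate; cookies arrive as a header too.
    if any(MARKER in value for value in headers.values()):
        vehicles.append("HTTP header")
    # The raw query string becomes QUERY_STRING, so it is checked undecoded.
    if MARKER in query_string:
        vehicles.append("query string")
    # The rule only parses a request body for POST requests.
    if method == "POST":
        for value in form.values():
            # Multi-valued fields are joined the way the rule does (":").
            if not isinstance(value, str):
                value = ":".join(value)
            if MARKER in value:
                vehicles.append("form param")
                break
    return vehicles


def log_line(vehicles: List[str], remote_ip: str, country: str) -> str:
    """Build the same warning the rule writes before discarding the connection."""
    return ("Attempted CVE-2014-6271 attack via " + " and ".join(vehicles)
            + " from " + remote_ip + " in " + country)


# Constructed sample requests; a placeholder stands in for any trailing string.
MALICIOUS_HEADERS = {"Host": "app.example",
                     "User-Agent": "() { :; }; <trailing-string-placeholder>"}
BENIGN_HEADERS = {"Host": "app.example", "X-Data": '{"fn": "() => 1"}'}
MALICIOUS_FORM = {"tags": ["news", "() { :; }; <trailing-string-placeholder>"]}

if __name__ == "__main__":
    hits = find_vehicles("POST", MALICIOUS_HEADERS, "q=1", MALICIOUS_FORM)
    print(log_line(hits, "203.0.113.7", "XX"))  # constructed IP and country
```

The benign header shows that braces or "()" on their own do not trigger the check; only the exact marker bash looks for does.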


Since the SteelApp Web UI is such an application itself, it is also vulnerable if the software is running in an environment where "/bin/sh" is a vulnerable version of bash (this might be the case if you have installed SteelApp on Linux, but is *NOT* the case if you are running the Riverbed-provided Virtual Appliances). The rule above can of course be used to secure SteelApp's administration server as well.


To do that, change the admin server's port to, for example, 9091, restrict its listening socket to localhost, and create a loopback virtual server on port 9090 that uses the above rule. The default pool of this loopback virtual server must be SSL-encrypting and must contain the node localhost:9091.


SteelApp Web App Firewall already has an updated baseline that detects the attack on bash, so if your web application is protected by SteelApp Web App Firewall you only need to install the baseline update.


For detailed information on how CVE-2014-6271 affects Riverbed products, please subscribe to this support knowledge base article: https://supportkb.riverbed.com/support/index?page=content&id=S24997

Version history: revision 1 of 1, last update 09-25-2014 08:36 AM.